Fordham Law


4 Questions Parents Should Ask About Student Data Security

Joel Reidenberg in US News, January 13, 2014

Media Source

Student data has the ability to transform education, experts say.

Teachers can tailor instruction using student grades, and counselors can use attendance and behavior records to identify at-risk high school students before they become dropout statistics.

"We can't afford not to use data," says Aimee Guidera, founder and executive director of the Data Quality Campaign. Districts also cannot afford to let their students' data fall into the wrong hands, she says.

Safeguarding student privacy and ensuring data security should be a top priority for school officials, experts say, especially when districts contract with outside vendors to store or manage student information.

Unfortunately, this isn't always the case, says Joel Reidenberg, a professor at Fordham University Law School and co-author of a 2013 report on privacy and educational records.

Almost every school district in the country uses cloud computing – think Google Drive, but on a larger scale – to house information such as grades, attendance records, bus routes and health records. Most districts contract with a third-party vendor to house and manage the data.

Schools' contracts with vendors often do not clearly spell out how the information can and cannot be used, Reidenberg says, referring to the report's findings.

"Districts were by and large surrendering control of student information," he says, noting that few contracts restricted the sale and marketing of student information. "It was real evidence that districts were not maintaining control of their student information when they signed up for cloud services."

School officials often did not know exactly what information was being given to the vendors. Officials also failed to inform parents, in most cases, he says.

To get a handle on how schools are managing student data, parents should ask administrators these four questions.

1. What is being collected and how is it used?

The information collected on students often goes beyond grades and attendance. Many schools record disciplinary actions, such as suspension or expulsion, as well as student health records, including pregnancies and mental illness.

Parents should understand the full spectrum of what is being collected on their teen, as well as how that information is used, Guidera says. If schools aren't using specific data points, parents should ask the school to stop collecting it and take it off their child's record.

2. How is the data stored?

Whether the school houses data on-site or with a third-party vendor can have serious implications for student privacy. Parents should ask where the information is stored, as well as what measures are taken to protect their teen's identity.

3. Who has access to the data?

Access to student data should be restricted to teachers and designated staff within the school or district, but lax vendor contracts might make data accessible to a wider audience. It is important for parents to ask school officials to specify who can view student information and under what circumstances.

"Most districts at this point can't answer those questions because it hasn't been, to be blunt, a priority," Guidera says.

4. When does it expire?

Students are in school for a fixed number of years, but their data can live on in the district's student information system long after they graduate and turn 18. Vendors could also retain student data even after their contract with the district ends, Reidenberg says.

"We found that cloud service agreements failed to provide data security or data deletion," he says, referring to contracts analyzed for the Fordham study. "Only 13 percent required at the end of the contract, data be deleted."